How should an API use HTTP basic authentication
Posted by user1626384 on Programmers
Published on 2012-09-12T10:22:32Z
When an API requires that a client authenticates to it, I've seen two different scenarios used and I am wondering which case I should use for my situation.
Example 1. An API is offered by a company to allow third parties to authenticate with a token and secret using HTTP Basic.
Example 2. An API accepts a username and password via HTTP Basic to authenticate an end user. Generally they get a token back for future requests.
My Setup: I will have a JSON API that I use as my backend for a mobile and web app. It seems like good practice for both the mobile and web app to send along a token and secret so only these two apps can access the API, blocking any other third party.
But the mobile and web app allow users to log in and submit posts, view their data, etc. So I would want them to log in via HTTP Basic as well on each request.
Do I somehow use a combination of both these methods or only send the end user credentials (username and token) on each request? If I only send the end user credentials, do I store them in a cookie on the client?
© Programmers or respective owner
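The flow described in Example 2, sketched server-side as an added example that is not part of the original post: the `Authorization: Basic` header is parsed and checked once, and a random token is returned for later requests. The user store, the in-memory token table and sending the token back as `Authorization: Bearer` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

def _hash(password, salt):
    # Salted, slow hash so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
TOKENS = {}  # token -> username; in-memory only, an assumption of this sketch

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None."""
    scheme, _, param = (header or "").partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    # Split on the first colon only: the password may itself contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def login(header):
    """Verify Basic credentials once and issue a token for future requests."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    # Unknown users still cost one hash, so timing does not reveal who exists.
    salt, stored = USERS.get(user, (_SALT, b"\x00" * 32))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = user
    return token

def authenticate(header):
    """Later requests: map 'Authorization: Bearer <token>' to a username."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return TOKENS.get(token.strip())
```

Basic credentials are only base64-encoded, not encrypted, so both the login call and the token-bearing requests need to travel over TLS.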